open-webui's image-edit endpoint blindly fetches any user-supplied URL server-side, with no restriction against private/internal address space (CWE-918), letting an authenticated user turn the server into a proxy for scanning the local network. This is a medium-severity, low-complexity flaw (CVSS 4.3, AC:L) that any low-privileged account can trigger, and while the SSRF is blind, response differentials reliably reveal which internal ports are open, and any of the 113 other CVEs on this package's history plus the fact that open-webui runs with broad network access make this a meaningful reconnaissance primitive rather than a curiosity. EPSS sits in the top 87th percentile for likelihood but there's no public exploit code, no Nuclei template, and it isn't in CISA KEV, so this is not an active-exploitation emergency — treat it as an infrastructure hardening gap. No patched version is listed yet (affects <= 0.7.2), so mitigate now by blocking outbound requests from the open-webui host to RFC1918/localhost/link-local ranges (including the cloud metadata IP 169.254.169.254) at the network layer, and watch GHSA-jgx9-jr5x-mvpv for an official fix.
What is the risk?
Low-to-moderate risk in isolation: the flaw requires an authenticated (even low-privilege) account, has low attack complexity, and yields no direct data disclosure because the SSRF is blind — impact is limited to confirming open/closed state of internal ports. Risk rises sharply in environments where open-webui is deployed with unrestricted network reach to sensitive internal services (databases, internal APIs, cloud metadata endpoints, orchestration tooling), since the port-scan capability becomes a stepping stone for identifying secondary targets. The lack of a public exploit or KEV listing keeps urgency moderate, but the trivial exploitation mechanics (a single crafted POST) mean it will be easy to weaponize once attention increases.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Open WebUI | pip | <= 0.7.2 | No patch |
Do you use Open WebUI? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
There is no patched version currently listed, so mitigation is primarily network-level: enforce egress filtering/allowlisting on the host running open-webui so it cannot reach RFC1918 ranges, localhost, link-local addresses, or cloud metadata IPs (169.254.169.254); place the service behind an outbound proxy that denies internal destinations; and segment open-webui away from sensitive internal services regardless of application-layer fixes. Application-side, disable or restrict the image-edit-via-URL feature if it isn't business-critical, and monitor for a fix landing at GHSA-jgx9-jr5x-mvpv to upgrade once available. Detection-wise, alert on outbound HTTP requests from the open-webui process/container to internal IP ranges or on unusual bursts of failed/successful GETs consistent with port-scan patterns in application or network logs.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-34225?
open-webui's image-edit endpoint blindly fetches any user-supplied URL server-side, with no restriction against private/internal address space (CWE-918), letting an authenticated user turn the server into a proxy for scanning the local network. This is a medium-severity, low-complexity flaw (CVSS 4.3, AC:L) that any low-privileged account can trigger, and while the SSRF is blind, response differentials reliably reveal which internal ports are open, and any of the 113 other CVEs on this package's history plus the fact that open-webui runs with broad network access make this a meaningful reconnaissance primitive rather than a curiosity. EPSS sits in the top 87th percentile for likelihood but there's no public exploit code, no Nuclei template, and it isn't in CISA KEV, so this is not an active-exploitation emergency — treat it as an infrastructure hardening gap. No patched version is listed yet (affects <= 0.7.2), so mitigate now by blocking outbound requests from the open-webui host to RFC1918/localhost/link-local ranges (including the cloud metadata IP 169.254.169.254) at the network layer, and watch GHSA-jgx9-jr5x-mvpv for an official fix.
Is CVE-2026-34225 actively exploited?
No confirmed active exploitation of CVE-2026-34225 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-34225?
There is no patched version currently listed, so mitigation is primarily network-level: enforce egress filtering/allowlisting on the host running open-webui so it cannot reach RFC1918 ranges, localhost, link-local addresses, or cloud metadata IPs (169.254.169.254); place the service behind an outbound proxy that denies internal destinations; and segment open-webui away from sensitive internal services regardless of application-layer fixes. Application-side, disable or restrict the image-edit-via-URL feature if it isn't business-critical, and monitor for a fix landing at GHSA-jgx9-jr5x-mvpv to upgrade once available. Detection-wise, alert on outbound HTTP requests from the open-webui process/container to internal IP ranges or on unusual bursts of failed/successful GETs consistent with port-scan patterns in application or network logs.
What systems are affected by CVE-2026-34225?
This vulnerability affects the following AI/ML architecture patterns: model serving, LLM web UI / chat interfaces, internal AI infrastructure networks.
What is the CVSS score for CVE-2026-34225?
CVE-2026-34225 has a CVSS v3.1 base score of 4.3 (MEDIUM). The EPSS exploitation probability is 0.23%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0049 Exploit Public-Facing Application AML.T0075 Cloud Service Discovery Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary There is a blind server side request forgery in the functionality that allows editing an image via a prompt. The affected function will perform a GET request on the URL provided by the user. There is no restriction on the domain of the provided URL allowing the local address space to be interacted with. Since the SSRF is blind (the response cannot be read) impact is port scanning of the local network because it can be confirmed if the port is open based on if the GET request failed. ### Details The vulnerability occurs here: https://github.com/open-webui/open-webui/blob/2b26355002064228e9b671339f8f3fb9d1fafa73/backend/open_webui/routers/images.py#L850-L916 Line 911 shows the user provided URL passed to the function `load_url_image`. Within this function on line 883 HTTP/HTTPs URLs are trusted blindly and called asynchronously with `requests.get`. ### PoC The vulnerability can be reproduced with the following curl command: ``` curl -X POST http://localhost:3000/api/v1/images/edit \ -H "Authorization: Bearer <token>" \ -H "Content-Type: application/json" \ -d '{"form_data":{ "image": "<url>", "prompt": "poc"} }' ``` ### Impact Response differentials can be used to port scan the local network: <img width="3016" height="736" alt="image" src="https://github.com/user-attachments/assets/93b4df52-b23c-4ed7-a5fa-9cbedb30091c" /> This can be automated to iterate through the entire port range to determine open ports. If the service running on an open port can be inferred the user may be able to interact with it in a meaningful way if the service offers any state changing GET request endpoints. ### Remediation Restrict provided URLs from local address space.
Exploitation Scenario
An attacker who holds any valid, even low-privileged, open-webui account (obtained via credential stuffing, an open self-registration flow, or an intentionally provisioned test user) issues repeated POST requests to /api/v1/images/edit, substituting the image URL with internal targets such as http://10.0.0.5:6379, http://localhost:8500, or http://169.254.169.254/latest/meta-data/. By observing which requests succeed versus fail (or differ in timing), the attacker builds a map of live internal hosts and open ports — Redis, etcd, internal admin panels, cloud metadata — all without ever seeing response bodies. If any discovered service exposes an unauthenticated, state-changing GET endpoint (e.g., a cache-flush or admin-action URL), the attacker can trigger it blind, turning pure reconnaissance into limited unauthorized action against internal infrastructure.
Weaknesses (CWE)
CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N References
Timeline
Related Vulnerabilities
CVE-2026-44551 9.1 open-webui: LDAP auth bypass — full account takeover
Same package: open-webui CVE-2026-45672 8.8 open-webui: code exec gate bypass via API endpoint
Same package: open-webui CVE-2025-64495 8.7 Open WebUI: XSS-to-RCE via malicious prompt injection
Same package: open-webui CVE-2026-44552 8.7 open-webui: Redis cache poisoning enables cross-instance tool hijack
Same package: open-webui CVE-2026-45315 8.7 open-webui: stored XSS → JWT theft and admin takeover
Same package: open-webui